“There is so much confusion and inconsistency in how risk is defined, measured, and communicated in the cybersecurity industry,” Jack writes. While senior government and business leaders expect risk “to be measured as the likelihood and impact of adverse events,” risk analysts frequently identify as risks “cyber criminals”, “the cloud”, “weak passwords” and other things that aren’t events, and so can’t be assessed as risks.

Homeland Security and other agencies should start defining and measuring risk according to an objective, quantitative standard, Jack writes, “otherwise, the danger exists that a false sense of improved security will creep in, which could lead to even more misguided decisions.”